In recent years, it has become increasingly difficult to detect malicious activity on networks. The sophistication of intrusions has increased substantially, as entities with greater resources, such as organized crime and state actors, have directed those resources towards developing new modes of intrusion.
For example, a common type of targeted cyber attack often begins with an outside attacker coaxing a target (e.g., an individual or an employee of an organization/company) into performing an action on a computer that will infect the target's host computer. Such actions may include, for example, clicking a web link to a malicious web site or opening an email attachment that contains an infected file. In this way, an outside attacking entity, which created the malicious link or email attachment, can effectively gain control of and breach a user's computer without attempting to penetrate traditional security defenses, such as a firewall.
Once the user's computer has been breached, it can be used by the outside attacker as a platform for launching deeper attacks on the organization's network and/or servers. One of the common progressions of this type of attack is that the external attacker takes remote control of the user's host (e.g., a computer) and manually directs reconnaissance and attack activities from out-to-in, that is, from outside the network inward.
Clearly, a serious violation of computer security occurs when an external attacker takes manual control of a host inside an organization's network. As such, there is a great need for approaches that effectively and efficiently identify these types of attacks.